Do you have protection? Why it's time to reset your passwords to outfox cybercriminals

‘Hackers use trending topics on social media to lure people to download malware’

While you’re on Twitter, discussing this week’s upcoming Honourable Woman finale or maybe even the Israel/Palestine conflict itself, somebody is watching. The cyber bad guys will tempt you, using the terms from your own online discussions, to click on a link and you’re hacked — in a bad way.

“The cybercriminal underground is extremely innovative and creative, very motivated to try new things and very persistent,” explains Keren Elazari, an Israeli security expert and analyst at Gigaom who spoke at a recent WIRED Money event in London on the power of hackers, both good and bad.

“We think of them like muggers who just want to steal a wallet. Actually they’re more like stalkers and they want your wallet and they will go after specific employees within an organisation. They use key words from trending topics on social media to lure people to sites and download malware. They’re using current events.”

With high-profile cyber threats constantly cropping up — from dangerous coding holes such as Heartbleed to recent news that a Russian crime ring has amassed a collection of 1.2 billion user name and password combinations from nearly half a million websites — it feels like we’re being attacked from every angle.

“Cybercrime cost the world £238 billion last year and it’s exponential,” says Brian Higgins, head of the schools programme at the Cyber Security Challenge, which runs competitions to find budding cyber-security professionals. “Most attacks are based on what has come before. It’s not necessary for a cyber attacker to come up with something entirely new — they can change a few lines of code and hopefully get past the patches.”

“Sooner or later you will get caught up in something,” adds Adrian Davis, managing director for EMEA at (ISC)2, The International Information Systems Security Certification Consortium. “Everything you do online provides the bad guys with a readily available source with which to target you — if they wish.”

In a recent Tweetdeck hack an exploited flaw in the code forced users to retweet a line of script automatically. This was not malicious — the flaw was picked up first by a teenager who warned Twitter. But “if it had been found by somebody malicious you wouldn’t have heard about it until after they had exploited it. Once everyone knows [about a flaw] it’s a race against the clock for the good guys to fix it before the bad guys exploit it,” says Paco Hope, security expert and principal consultant at Cigital. Another user took just 96 minutes to exploit the Twitter flaw, creating the self-retweeting tweet simply to prove its potential. “We’re going to see a lot more of this and we’re seeing the time from finding something to making it a serious hack getting ever smaller,” says Hope.

Fingers on the pulse of cybercrime: biometrics using fingerprints and iris scans could replace passwords but biological defects mean there are limitations

With each new threat we’re told we should probably change our passwords. If you’re diligent, you might have done so several times in the past few months and, chances are, you now can’t remember any of them. Yet most of us probably panic briefly and then do nothing.

Of all the risks out there, our laziness might be our biggest vulnerability.

The passwords we think up are usually put through a process called cryptographic hashing before they are stored. For example, “password1” becomes “520d3142a140addb8be7d858a7e29e15”. This process can’t be reversed, but that turns out not to matter.

Each major password leak, such as the recent eBay hack that compromised 145 million accounts, adds more passwords to the crackers’ “dictionary”.

“Their dictionaries are terabytes of [cryptographic] hashes. If you break into someone’s system you can just look the hashes up,” says Hope.

He demonstrates by Googling the hash “5d1208e6214e6b0d64bd67cac5681080d70577d2”. “I find a page that has about 40 different ways of storing ‘Beach123’ as a password,” he says. Each of the hashes is labelled according to the software used to create it. The same can be done for the seemingly more complex password, “-pl,mko0”.
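To make the lookup point concrete, here is an added Python example (not from the article or any of the experts quoted) contrasting unsalted MD5 storage, where a stolen hash can simply be looked up in a precomputed table, with salted, iterated PBKDF2 storage, where the same table finds nothing. The tiny password list and the choice of MD5 and PBKDF2-HMAC-SHA256 are assumptions for illustration.

```python
import hashlib
import os
import secrets

# Constructed sample data: a tiny "dictionary" of common passwords, standing in
# for the terabyte-scale hash dictionaries the article describes.
COMMON_PASSWORDS = ["password1", "Beach123", "letmein", "-pl,mko0", "qwerty"]


def build_lookup_table(words):
    """Precompute unsalted MD5 hashes so a leaked hash can be looked up directly."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def store_unsalted(password):
    """Weak scheme: the same password always yields the same hash on every site,
    so one precomputed table answers every leak that uses this scheme."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=100_000):
    """Hardened scheme: a random per-user salt plus a slow key-derivation function.
    Every stored value is unique to its salt, so a precomputed table is useless,
    and the iteration count makes each guess cost far more than a single MD5."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute the derivation with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return secrets.compare_digest(candidate.hex(), digest_hex)


def lookup(stored_hash, table):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return table.get(stored_hash)
```

Running `lookup(store_unsalted("Beach123"), build_lookup_table(COMMON_PASSWORDS))` recovers the password instantly, while the salted form of the same password never matches the table.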

The software is improving, too. Cracking programmes that once only worked for passwords of 15 characters or fewer can now be used to attempt cracks on passwords of up to 55 characters. And the dictionaries are getting more complex. Technology news site Ars Technica reported recently on security experts building dictionaries from the entire contents of Wikipedia and electronic book collections, revealing passwords that included bible passages or famous phrases such as “in the beginning was the word” or “Harry Potter and the Deathly Hallows22” — meaning that even those of us coming up with longer passwords need to try harder.

“The challenge is to pick little-known passages; ‘to be or not to be’ is certain to be in the databases,” says White.

Experts also study social media to find common words used by particular groups. In cracking hashes leaked from Militarysingles.com experts “searched the microblogging service for a dozen or so terms that related to both the military and dating”, writes Ars reporter Josh Dustin. They found new words, such as “hooah”, which helped crack even more passwords.

Most of us don’t make it this difficult. “We are our own worst enemy,” says White. “People tend to reuse common passwords across several sites so cryptography rarely comes into play. In most cases it’s simply a matter of running through a short list of popular passwords in order to compromise a new set of user accounts. Researchers point out that the top 10,000 passwords are used by 98.8 per cent of all users.”

“If you use the same password in more than one place, you have a problem,” adds Elazari. “Organisations have made password requirements more complicated. People have one that works, so they use it all over the place.”

So why are we still using passwords?

“Password is king because it’s cheap,” says (ISC)2’s Davis. “It only takes a simple bit of code to have a password log-in, it’s easy to use and everybody gets it... 20 per cent of the population can’t use biometrics based on iris scans because of biological defects — there are real limitations compared with passwords.”

“The take-home message is that people are wise to choose long, random passwords using both letters and numbers, and to use a different password on every website,” says White. He and Hope both recommend using password managers such as 1Password or Dashlane, which generate and save super-strong passwords for you.

Elazari also recommends using two-step verification wherever possible. This adds an extra layer of security (available on Facebook and PayPal for example) requiring a code generated by an app on your phone or sent to you by SMS to get into accounts.

Yet she thinks there’s more that organisations themselves can do. “Cyber criminals are extremely organised. They collaborate and share source codes and techniques. Financial organisations are not traditionally collaborative but they should share intelligence and work with people who have one foot in the underground as it will save money,” she says.

“In Silicon Valley there is a bounty programme in which financial incentives are offered for private hackers and security researchers who find bugs, to encourage them to report them responsibly. Only if we offer incentives will we lure people into doing the right thing.” Meanwhile, go and change your passwords.